From owner-freebsd-isp Mon Nov 6 14:11:12 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.prod.itd.earthlink.net [207.217.120.123])
	by hub.freebsd.org (Postfix) with ESMTP id 0D57737B479
	for ; Mon, 6 Nov 2000 14:11:09 -0800 (PST)
Received: from veager.siteplus.net (user-38lc8u1.dialup.mindspring.com [209.86.35.193])
	by swan.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id OAA26149;
	Mon, 6 Nov 2000 14:10:43 -0800 (PST)
Date: Mon, 6 Nov 2000 17:10:36 -0500 (EST)
From: Jim Weeks
To: Steve Price
Cc: Dave Wilson , freebsd-isp@FreeBSD.ORG
Subject: Re: Limited FTP accounts
In-Reply-To: <20001106110328.B70975@bonsai.knology.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 6 Nov 2000, Steve Price wrote:

> On Mon, Nov 06, 2000 at 02:19:24PM +0200, Dave Wilson wrote:
> #
> # Any one got any ideas on how to restrict an FTP user to only accessing his
> # home directory and nothing else ?
> # See I want a normal user to have access to nothing else other than his home
> # directory.
>
> From the ftpd() manpage:
>
>    5.   If the user name appears in the file /etc/ftpchroot, or the
>         user is a member of a group with a group entry in this file,
>         i.e. one prefixed with `@', the session's root will be changed
>         to the user's login directory by chroot(2) as for an
>         ``anonymous'' or ``ftp'' account (see next item).  This
>         facility may also be triggered by enabling the boolean
>         "ftp-chroot" capability in login.conf(5).  However, the user
>         must still supply a password.  This feature is intended as a
>         compromise between a fully anonymous account and a fully
>         privileged account.  The account should also be set up as for
>         an anonymous account.

The only problem with this is that the user can not cd into a soft linked
web directory.
Example of the web tree: "/usr/local/www/data/user"
Example of home: "/usr/home/user" with a "ln -s /usr/local/www/data/user www"
where www is a soft link to the true server tree.

If your machine is already set up this way you may want to move
"/usr/local/www/data/user" to "/usr/home/www" and add a link in the server
tree like "ln -s /usr/home/www user".  This will work.

If your version is 4.X or above "FTPD_INTERNAL_LS" is already functional.
If you are using 3.5 or below you will need to make and install
/usr/src/libexec/ftpd with "FTPD_INTERNAL_LS" defined.  This is necessary
for the user to be able to ls his/her directories under chroot.

Hope this helps,

Jim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
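
Added example, not part of the original message: a shell function that lists the symlinks under a login directory that stop resolving once ftpd chroots the session there, which is the soft-link problem described in the reply above. The function name `broken_in_chroot` is hypothetical, and the directory to audit is passed as the only argument.

```shell
#!/bin/sh
# Added example (not from the original message).
# broken_in_chroot is a hypothetical helper name.
#
# Usage: sh chroot-links.sh /usr/home/user
# Prints "link -> target" for every symlink under ROOT that will not
# resolve once ftpd has chroot(2)ed the session into ROOT.

broken_in_chroot() {
    root=$(cd "$1" && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        name=${link#"$root"/}
        case $target in
        /*)
            # Inside the chroot an absolute target is looked up from
            # the new root, so it must exist as ROOT/target.
            [ -e "$root$target" ] || printf '%s -> %s\n' "$name" "$target"
            ;;
        *)
            # A relative target must exist and resolve to a path that
            # is still at or below ROOT.
            real=$(readlink -f "$link" 2>/dev/null) || real=
            case $real in
            "$root"|"$root"/*)
                [ -e "$real" ] || printf '%s -> %s\n' "$name" "$target"
                ;;
            *)
                printf '%s -> %s\n' "$name" "$target"
                ;;
            esac
            ;;
        esac
    done
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    broken_in_chroot "$1"
fi
```

Running it over the login directory of each account listed in /etc/ftpchroot shows which links need the reversed layout before the restriction is switched on.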